The plugin does not sanitise and escape the Album’s name before outputting it in pages/posts with a media embed, which could allow high-privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
https://youtu.be/kTMg65teTvU

1. Create an Album with the following payload as Name: test">
2. Add a media via the “Add/Import files” menu and select the album created above.
3. The XSS will be triggered when viewing the media post.
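
As an added illustration (not the plugin's own code; the function names are hypothetical and the input is constructed), the PHP below contrasts echoing an album name unescaped with escaping it for each output context. The `function_exists` stand-ins only let the file run outside WordPress, where the real `esc_attr()`, `esc_html()` and `sanitize_text_field()` are used.

```php
<?php
// Added illustration; NOT the Gmedia plugin's code. Function names are hypothetical.

// Simplified stand-ins so the file runs outside WordPress. Inside WordPress
// the core esc_attr() / esc_html() / sanitize_text_field() are used instead.
if (!function_exists('esc_attr')) {
    function esc_attr($s) { return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_html')) {
    function esc_html($s) { return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($s) { return trim(strip_tags((string) $s)); }
}

// Pattern the advisory describes: the stored name is written into the page as-is,
// both inside an attribute value and as element content.
function render_album_unescaped($name) {
    return '<div class="album" data-album="' . $name . '"><span>' . $name . '</span></div>';
}

// Hardened form: escape at render time, once per output context.
function render_album_escaped($name) {
    return '<div class="album" data-album="' . esc_attr($name) . '">'
         . '<span>' . esc_html($name) . '</span></div>';
}

// Sanitising on save is defence in depth only: it strips tags but keeps quote
// characters, so the attribute context still needs esc_attr() on output.
function save_album_name($raw) {
    return sanitize_text_field($raw);
}

// Constructed input: a name containing a quote and markup.
$name = 'test"><i>marker</i>';

echo render_album_unescaped($name), PHP_EOL;
echo render_album_escaped($name), PHP_EOL;
echo render_album_unescaped(save_album_name($name)), PHP_EOL;
echo render_album_escaped(save_album_name($name)), PHP_EOL;
```
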
CPE

Name | Operator | Version |
---|---|---|
grand-media | lt | 1.20.0 |